PHI of 42,000 Patients Exposed Due to Server Misconfiguration

The protected health information (PHI) of 42,000 patients of a New York medical practice was exposed online because of a misconfigured server. A security researcher discovered the problem by accessing the data; it is not known whether anyone else accessed it.

Chris Vickery, director of cyber risk research at UpGuard, discovered the server misconfiguration on January 25, 2018. He explained in his March 26 blog post that the exposed port is the one commonly used for remote synchronization (rsync). Properly configured, the service would accept connections only from specific whitelisted IP addresses; as misconfigured, anyone who knew the server’s IP address could access the data.
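The failure described above is an rsync daemon whose modules carry no effective `hosts allow` restriction. The following is an added example, not code from the original article or from UpGuard: a small checker that parses an rsyncd.conf, resolves each module's effective `hosts allow` (module value, else the global default) and reports modules that are open to any client. The two configurations are constructed samples for illustration, not the practice's actual configuration.

```python
import re

# Constructed rsyncd.conf samples (illustrative only, not from the incident).
WEAK_CONF = """
uid = nobody
read only = no

[backup]
    path = /srv/backup
    comment = nightly backups
"""

HARDENED_CONF = """
uid = nobody
read only = yes
hosts allow = 10.0.5.0/24        # global default for every module

[backup]
    path = /srv/backup
    hosts allow = 10.0.5.17       # only the backup host may connect
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
"""

_SECTION = re.compile(r"^\[(.+)\]$")

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}); keys are lower-cased."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        m = _SECTION.match(line)
        if m:                             # new [module] section
            current = m.group(1).strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        value = value.split("#", 1)[0]    # drop trailing comment, if any
        target = modules[current] if current is not None else global_params
        target[key.strip().lower()] = value.strip()
    return global_params, modules

def is_open_allow(value):
    """True when 'hosts allow' is absent or a wildcard (any client accepted)."""
    return value is None or value.strip() in ("", "*", "0.0.0.0/0")

def find_exposed_modules(text):
    """Names of modules whose effective 'hosts allow' admits any client."""
    global_params, modules = parse_rsyncd_conf(text)
    default_allow = global_params.get("hosts allow")
    return [name for name, params in modules.items()
            if is_open_allow(params.get("hosts allow", default_allow))]
```

Run against the two samples, the weak configuration reports `backup` as exposed while the hardened one reports nothing; a firewall rule in front of the port remains the second layer.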

Several sections of the repository were exposed. One, named backupwscohen, was publicly accessible and contained files with highly sensitive information. Another was a virtual hard drive holding staff details such as spouse information, children’s names and, in some cases, Social Security numbers. An Outlook .pst file containing a large volume of email communications was also accessible. Finally, there was a database holding the information of 42,000 patients, including names, birth dates, addresses, phone numbers, email addresses, health insurance information, Social Security numbers, ethnicities and clinical notes with over 3 million observations.

Vickery found that the accessible information came from the Huntington, New York medical practice of Cohen, Bergman, Klepper & Romano MDs’ PC. Starting February 12, Vickery made several attempts to contact the doctors to tell them about the data breach: directly, via the local hospital and even through databreaches.net. It was only on March 19 that the physicians received the message and took action to secure the server. All patients’ PHI has since been secured.